From 6dfcd87c09046ea90218e9b380b6239be7bd2a09 Mon Sep 17 00:00:00 2001
From: Sean Morley
Date: Tue, 13 Jan 2026 22:43:02 -0500
Subject: [PATCH] feat: Add X-Accel-Redirect for serving protected media files with security headers

---
 aio/nginx.conf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/aio/nginx.conf b/aio/nginx.conf
index fe413193..fdf1a625 100644
--- a/aio/nginx.conf
+++ b/aio/nginx.conf
@@ -129,6 +129,20 @@ http {
 proxy_redirect http://127.0.0.1/ $scheme://$http_host/;
 }
 
+ # Serve protected media files with X-Accel-Redirect
+ location /protectedMedia/ {
+ internal; # Only internal requests are allowed
+ alias /code/backend/server/media/; # This should match Django MEDIA_ROOT
+ try_files $uri =404; # Return a 404 if the file doesn't exist
+
+ # Security headers for all protected files
+ add_header Content-Security-Policy "default-src 'self'; script-src 'none'; object-src 'none'; base-uri 'none'" always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ }
+
 # Everything else to frontend (SvelteKit)
 location / {
 proxy_pass http://frontend_upstream;
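Review bot: The five `add_header` lines inside `location /protectedMedia/` silently drop every `add_header` inherited from the enclosing `server`/`http` level, because nginx inherits `add_header` only when the current level defines none; if the server block sets headers such as Strict-Transport-Security (not visible in this hunk, so worth confirming), protected media would be served without them. Either repeat those server-level headers here or move the shared set into an `include`d snippet used by both levels, and record the pitfall above the block, e.g. `# NOTE: add_header here replaces (does not extend) headers inherited from the server block; repeat any server-wide headers that must also cover these files`. Since these are user-uploaded files, the comment on `internal;` could also note that the Django view issuing X-Accel-Redirect remains responsible for the authorization check and for any Content-Disposition/Cache-Control it wants nginx to pass through on the final response. `X-XSS-Protection "1; mode=block"` is a legacy header ignored by current browsers; keeping it is harmless given the CSP line, but it should not be relied on.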